Eric Parizo: Hi. I'm Eric Parizo. It's great to have you with us. We're here with Bob West and Paul Simmons, both members of the Jericho Forum Board of Management. Gentlemen, thank you so much for being with us today.

Bob West: Thank you.

Paul Simmons: Thank you.

Eric Parizo: As cloud computing has become more prevalent, I know the Jericho Forum has emphasized the security and integrity of data over the security and integrity of networks themselves. Tell us a little bit about why that change is so important.

Bob West: As I was saying earlier, most organizations historically have looked at their computer networks and thought that there were very clear borders, and cloud computing, I think, is one of the longest extensions of the principle that says my data and information may not necessarily reside within my infrastructure and so going back and understanding, so if I'm using a cloud model, what applications am I putting in the cloud and what information is sitting there? So if I have something that's a mission critical system or something that has customer information in it, I need to understand where does it sit and what are the controls that I need to put around it, Paul?

Paul Simmons: Yeah, I mean the Jericho Forum principle is the closer you can get to the asset at risk, the easier it is to protect it. So that's, again, a motherhood and apple pie statement. But if you think about it, I mean, you don't protect the President of the United States by beefing up the border guards at the airport. Secret Service does close protection. The principles are exactly the same with computing. The closer I can get to protecting it, so, if I'm going to protect a server in the middle of my organization, actually I should be putting the protection around it, rather than beefing up my perimeter security because I've got this huge multitude of sins that comes through my perimeter.

Bob West: Yeah, so I mean, the server irrespective of where it sits, whether it's within the organization or in the cloud, you're going to protect it the same way; it's functioning at a principle level.

Paul Simmons: Yeah, so again, you know, if you then look at how I'm going to architect, with my rule for architecture, it's pretty straightforward. Actually I architect for my worst possible case which is, can I run this server on the raw Internet. And if I can make it work on the raw Internet, it's just going to work better when it's back inside my organization, but the principle is exactly the same. I architect the worst case, and the crazy thing is, you look at Victorian engineering. When they built bridges, it was really simple. They looked at the worst possible thing that could happen, the worst possible weather conditions, the worst possible everything, loads that went over it. They doubled it and then built their bridge. With computing, of course, we go, "Well, that's probably about right." You know, we've forgotten those basic engineering principles of design for worst case. And we just need to get back to them.

Eric Parizo: Jericho has said that identity and access management technology has to change in order to successfully secure cloud computing. What needs to happen in both the short and the long term in order to make that a success?

Paul Simmons: OK. The quick answer is a lot. The longer answer is we need to move to an identity-based structure. The concept of "I know which IP address you're coming from" or "Because you reside inside my organization I can therefore control you" actually just doesn't work in a de-perimeterized or a cloud environment because you're coming from a public IP address on a bit of network that I don't control. The actual network level controls become totally irrelevant and therefore actually things like border firewalls become increasingly irrelevant. They're great for keeping out scripts and the lumps on the Internet, but they're useless at doing any kind of user level access control.

So, in terms of what we need to do, we need to start moving all our applications to actually proper user level access control. And that means being able to prove who I am. Now, if I own everybody in my organization, that's really easy because I'm running probably Active Directory if you're in a large corporate or something like that. So, I control those people. The trouble is, that was a great model for five or ten years ago when you employed staff or you didn't employ staff, but now we employ people umpteen different ways, contractors, temporary staff, staff on fixed term contracts, you name it, and of course, we're working in partnerships with so many companies that we need to be able to federate. Because I can't, you know, if I've got 6,000, 8,000, 10,000 staff who aren't full time on payroll, I've got to manage them somehow.

Today what we can do is we can federate, we can extend our individual authentication systems out into the Internet, but actually in the future that isn't going to scale. We have to move to a claims-based system. So, where the future is going, if this is going to work, certainly in cloud or anything outside of your organization, it's got to be claims based. For example, let's say I want to offer drug information out to a German doctor. Now, the German health authorities publish who's a doctor, and there is an organization out there called Doc Check which you can subscribe to which basically says, so I have someone coming into a system that I own and the condition of giving them the information is "are they a German doctor?"

So they make a claim that says "I am a German doctor," and we can test that claim against Doc Check in Germany, and therefore if they pass that claim, that's it, we give them the document. We don't need to know their name. We don't need to know anything else about them. We don't need to know their age or where they live or whatever. They make a claim, we check the claim, we give them the document if it passes the check, end of story. And that's the way it's got to work in the future if this is truly going to be extensible.

Eric Parizo: Now, going back to your example though, are you saying that you're conducting the check, or are you essentially trusting someone else to conduct that check for you?

Paul Simmons: Ultimately, no, it's about trusting the third parties that are going to provide that check. So ultimately, the same ways we trust, for example, an SSL certificate today, so the padlock on the bottom of the browser, when I go to a secure site, I trust that there is, when it comes up with the padlock and the green bar at the top of my browser, that actually that is a chain of custody effectively, that goes back to some root authority that we trust.

Just as we trust that for our padlock and our green bar on our browsers, that is exactly the same. It's my organization trusts this checking organization. It might be, "Am I 18" because I've got to be an adult to check this site. So, maybe the claim is "I am an adult" and you go off to whichever site it is. It might be a government site. It might be a third-party site. It doesn't really matter. You, as an organization, say, "If I'm going to give this information out I then trust the organization that is validating the claim."

Bob West: So, in the United States, an example people might relate to would be if someone is getting credit extended to them by a financial institution, the financial institution is going to go to one of the credit bureaus to understand, "Is Bob worthy of having credit extended to him?" and people trust the entities, the Experians and Equifaxes of the world to say they have accurate information about Bob, and so it works the same way in terms of principles, in terms of what Paul's describing in the computing infrastructure world.

Paul Simmons: Yeah.

Eric Parizo: Finally, what's your best advice for organizations that are considering cloud computing and are concerned about cloud computing security?

Bob West: One of the things I think that most organizations are doing right now is they are looking at cloud computing as the Holy Grail and "My competition is moving to cloud computing; therefore, I should" without understanding the risks associated with cloud computing. And so, I think using something like the self-assessment scheme is something that can really be a valid way to say, "Does this make sense for me?" I mean, "Is it, in fact, something that's going to help solve a fundamental business problem?" At the end of the day, as Paul was saying earlier, the basic premise is to help address business functions, and if you're looking at it that way then I think organizations can be successful in terms of moving to a cloud model that makes sense for them.

Paul Simmons: I'd say four things, or four pieces of information or resources to use. One is get the CSA document. Two is get the Jericho Forum documents on what we call the "Cloud Cube Model". That allows you to understand where the vendor is playing in the cloud space because every man's clouds actually are very unequal. Take that, mix it with the commandments, and then use the self-assessment document. If you take those four pieces of information, you should end up with a much better solution than you would have otherwise had.

Eric Parizo: Bob West and Paul Simmons of the Jericho Forum. Thank you both so much for joining us today.

Bob West: Thank you.

Paul Simmons: Thank you.

Eric Parizo: And thank you for joining us as well. A reminder, you can find more of our videos at SearchSecurity.TechTarget.co.uk. I'm Eric Parizo. Stay safe out there.
